1// SPDX-License-Identifier: GPL-2.0-only
  2/*
  3 * AppArmor security module
  4 *
  5 * This file contains AppArmor functions for unpacking policy loaded
  6 * from userspace.
  7 *
  8 * Copyright (C) 1998-2008 Novell/SUSE
  9 * Copyright 2009-2022 Canonical Ltd.
 10 *
 11 * Code to provide backwards compatibility with older policy versions,
 12 * by converting/mapping older policy formats into the newer internal
 13 * formats.
 14 */
 15
 16#include <linux/ctype.h>
 17#include <linux/errno.h>
 18
 19#include "include/lib.h"
 20#include "include/policy_unpack.h"
 21#include "include/policy_compat.h"
 22
 23/* remap old accept table embedded permissions to separate permission table */
 24static u32 dfa_map_xindex(u16 mask)
 25{
 26	u16 old_index = (mask >> 10) & 0xf;
 27	u32 index = 0;
 28
 29	if (mask & 0x100)
 30		index |= AA_X_UNSAFE;
 31	if (mask & 0x200)
 32		index |= AA_X_INHERIT;
 33	if (mask & 0x80)
 34		index |= AA_X_UNCONFINED;
 35
 36	if (old_index == 1) {
 37		index |= AA_X_UNCONFINED;
 38	} else if (old_index == 2) {
 39		index |= AA_X_NAME;
 40	} else if (old_index == 3) {
 41		index |= AA_X_NAME | AA_X_CHILD;
 42	} else if (old_index) {
 43		index |= AA_X_TABLE;
 44		index |= old_index - 4;
 45	}
 46
 47	return index;
 48}
 49
 50/*
 51 * map old dfa inline permissions to new format
 52 */
 53#define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \
 54				    ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
 55#define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f)
 56#define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f)
 57#define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f)
 58#define dfa_user_xindex(dfa, state) \
 59	(dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff))
 60
 61#define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \
 62				      0x7f) |				\
 63				     ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
 64#define dfa_other_xbits(dfa, state) \
 65	((((ACCEPT_TABLE(dfa)[state]) >> 7) >> 14) & 0x7f)
 66#define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f)
 67#define dfa_other_quiet(dfa, state) \
 68	((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)
 69#define dfa_other_xindex(dfa, state) \
 70	dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
 71
 72/**
 73 * map_old_perms - map old file perms layout to the new layout
 74 * @old: permission set in old mapping
 75 *
 76 * Returns: new permission mapping
 77 */
 78static u32 map_old_perms(u32 old)
 79{
 80	u32 new = old & 0xf;
 81
 82	if (old & MAY_READ)
 83		new |= AA_MAY_GETATTR | AA_MAY_OPEN;
 84	if (old & MAY_WRITE)
 85		new |= AA_MAY_SETATTR | AA_MAY_CREATE | AA_MAY_DELETE |
 86		       AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_OPEN;
 87	if (old & 0x10)
 88		new |= AA_MAY_LINK;
 89	/* the old mapping lock and link_subset flags where overlaid
 90	 * and use was determined by part of a pair that they were in
 91	 */
 92	if (old & 0x20)
 93		new |= AA_MAY_LOCK | AA_LINK_SUBSET;
 94	if (old & 0x40)	/* AA_EXEC_MMAP */
 95		new |= AA_EXEC_MMAP;
 96
 97	return new;
 98}
 99
100static void compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa,
101				 aa_state_t state)
102{
103	perms->allow |= AA_MAY_GETATTR;
104
105	/* change_profile wasn't determined by ownership in old mapping */
106	if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
107		perms->allow |= AA_MAY_CHANGE_PROFILE;
108	if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
109		perms->allow |= AA_MAY_ONEXEC;
110}
111
112static struct aa_perms compute_fperms_user(struct aa_dfa *dfa,
113					   aa_state_t state)
114{
115	struct aa_perms perms = { };
116
117	perms.allow = map_old_perms(dfa_user_allow(dfa, state));
118	perms.audit = map_old_perms(dfa_user_audit(dfa, state));
119	perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));
120	perms.xindex = dfa_user_xindex(dfa, state);
121
122	compute_fperms_allow(&perms, dfa, state);
123
124	return perms;
125}
126
127static struct aa_perms compute_fperms_other(struct aa_dfa *dfa,
128					    aa_state_t state)
129{
130	struct aa_perms perms = { };
131
132	perms.allow = map_old_perms(dfa_other_allow(dfa, state));
133	perms.audit = map_old_perms(dfa_other_audit(dfa, state));
134	perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
135	perms.xindex = dfa_other_xindex(dfa, state);
136
137	compute_fperms_allow(&perms, dfa, state);
138
139	return perms;
140}
141
142/**
143 * compute_fperms - convert dfa compressed perms to internal perms and store
144 *		    them so they can be retrieved later.
145 * @dfa: a dfa using fperms to remap to internal permissions
146 *
147 * Returns: remapped perm table
148 */
149static struct aa_perms *compute_fperms(struct aa_dfa *dfa)
150{
151	aa_state_t state;
152	unsigned int state_count;
153	struct aa_perms *table;
154
155	AA_BUG(!dfa);
156
157	state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
158	/* DFAs are restricted from having a state_count of less than 2 */
159	table = kvcalloc(state_count * 2, sizeof(struct aa_perms), GFP_KERNEL);
160	if (!table)
161		return NULL;
162
163	for (state = 0; state < state_count; state++) {
164		table[state * 2] = compute_fperms_user(dfa, state);
165		table[state * 2 + 1] = compute_fperms_other(dfa, state);
166	}
167
168	return table;
169}
170
171static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch)
172{
173	struct aa_perms *perms;
174	int state;
175	int state_count;
176
177	AA_BUG(!xmatch);
178
179	state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen;
180	/* DFAs are restricted from having a state_count of less than 2 */
181	perms = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL);
182
183	/* zero init so skip the trap state (state == 0) */
184	for (state = 1; state < state_count; state++)
185		perms[state].allow = dfa_user_allow(xmatch, state);
186
187	return perms;
188}
189
190static u32 map_other(u32 x)
191{
192	return ((x & 0x3) << 8) |	/* SETATTR/GETATTR */
193		((x & 0x1c) << 18) |	/* ACCEPT/BIND/LISTEN */
194		((x & 0x60) << 19);	/* SETOPT/GETOPT */
195}
196
197static u32 map_xbits(u32 x)
198{
199	return ((x & 0x1) << 7) |
200		((x & 0x7e) << 9);
201}
202
203static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
204					   aa_state_t state,
205					   u32 version)
206{
207	struct aa_perms perms = { };
208
209	perms.allow = dfa_user_allow(dfa, state);
210	perms.audit = dfa_user_audit(dfa, state);
211	perms.quiet = dfa_user_quiet(dfa, state);
212
213	/*
214	 * This mapping is convulated due to history.
215	 * v1-v4: only file perms, which are handled by compute_fperms
216	 * v5: added policydb which dropped user conditional to gain new
217	 *     perm bits, but had to map around the xbits because the
218	 *     userspace compiler was still munging them.
219	 * v9: adds using the xbits in policydb because the compiler now
220	 *     supports treating policydb permission bits different.
221	 *     Unfortunately there is no way to force auditing on the
222	 *     perms represented by the xbits
223	 */
224	perms.allow |= map_other(dfa_other_allow(dfa, state));
225	if (VERSION_LE(version, v8))
226		perms.allow |= AA_MAY_LOCK;
227	else
228		perms.allow |= map_xbits(dfa_user_xbits(dfa, state));
229
230	/*
231	 * for v5-v9 perm mapping in the policydb, the other set is used
232	 * to extend the general perm set
233	 */
234	perms.audit |= map_other(dfa_other_audit(dfa, state));
235	perms.quiet |= map_other(dfa_other_quiet(dfa, state));
236	if (VERSION_GT(version, v8))
237		perms.quiet |= map_xbits(dfa_other_xbits(dfa, state));
238
239	return perms;
240}
241
242static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version)
243{
244	unsigned int state;
245	unsigned int state_count;
246	struct aa_perms *table;
247
248	AA_BUG(!dfa);
249
250	state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
251	/* DFAs are restricted from having a state_count of less than 2 */
252	table = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL);
253	if (!table)
254		return NULL;
255
256	/* zero init so skip the trap state (state == 0) */
257	for (state = 1; state < state_count; state++)
258		table[state] = compute_perms_entry(dfa, state, version);
259
260	return table;
261}
262
263/**
264 * remap_dfa_accept - remap old dfa accept table to be an index
265 * @dfa: dfa to do the remapping on
266 * @factor: scaling factor for the index conversion.
267 *
268 * Used in conjunction with compute_Xperms, it converts old style perms
269 * that are encoded in the dfa accept tables to the new style where
270 * there is a permission table and the accept table is an index into
271 * the permission table.
272 */
273static void remap_dfa_accept(struct aa_dfa *dfa, unsigned int factor)
274{
275	unsigned int state;
276	unsigned int state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
277
278	AA_BUG(!dfa);
279
280	for (state = 0; state < state_count; state++)
281		ACCEPT_TABLE(dfa)[state] = state * factor;
282	kvfree(dfa->tables[YYTD_ID_ACCEPT2]);
283	dfa->tables[YYTD_ID_ACCEPT2] = NULL;
284}
285
286/* TODO: merge different dfa mappings into single map_policy fn */
287int aa_compat_map_xmatch(struct aa_policydb *policy)
288{
289	policy->perms = compute_xmatch_perms(policy->dfa);
290	if (!policy->perms)
291		return -ENOMEM;
292
293	remap_dfa_accept(policy->dfa, 1);
294
295	return 0;
296}
297
298int aa_compat_map_policy(struct aa_policydb *policy, u32 version)
299{
300	policy->perms = compute_perms(policy->dfa, version);
301	if (!policy->perms)
302		return -ENOMEM;
303
304	remap_dfa_accept(policy->dfa, 1);
305
306	return 0;
307}
308
309int aa_compat_map_file(struct aa_policydb *policy)
310{
311	policy->perms = compute_fperms(policy->dfa);
312	if (!policy->perms)
313		return -ENOMEM;
314
315	remap_dfa_accept(policy->dfa, 2);
316
317	return 0;
318}